Fuzzing: Where computers play hide and seek with bugs
Introduction
AFL++ is a fork of the AFL fuzzer that provides better speed, mutations, instrumentation, custom module support, and more. More about AFL++ is here: https://github.com/AFLplusplus/AFLplusplus and https://aflplus.plus/
Fuzzer Platform Requirements
Windows 10 or 11 host with a minimum of 80 GB of free disk space and 8 GB of RAM.
Install VirtualBox on the Windows host: https://download.virtualbox.org/virtualbox/6.1.34/VirtualBox-6.1.34-150636-Win.exe Please feel free to refer to the following video for a step-by-step guide on the same:
Install Ubuntu on VirtualBox https://ubuntu.com/tutorials/how-to-run-ubuntu-desktop-on-a-virtual-machine-using-virtualbox#1-overview
Build and Install AFL++ for Fuzzing
Run the commands below to build and install AFL++ on the Ubuntu virtual machine.
sudo apt-get update
sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools
# try to install llvm 12 and install the distro default if that fails
sudo apt-get install -y lld-12 llvm-12 llvm-12-dev clang-12 || sudo apt-get install -y lld llvm llvm-dev clang
sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
sudo apt-get install -y afl++-clang # optional distro-packaged afl-clang; the source build below supersedes it
sudo apt-get install -y ninja-build # for QEMU mode
git clone https://github.com/AFLplusplus/AFLplusplus
cd AFLplusplus
make distrib
sudo make install
Fuzzing Target Source
Select a target application, such as Dlib https://github.com/davisking/dlib, for fuzzing.
Compiling with AFL++
Compile the target source with afl-clang-fast https://manpages.debian.org/unstable/afl-clang/afl-clang-fast.1.en.html
Download the Dlib source code. More about Dlib is here https://github.com/davisking/dlib
git clone https://github.com/davisking/dlib.git
Build the Dlib imglab tool https://github.com/davisking/dlib/tree/master/tools/imglab with afl-clang-fast and the address and undefined-behavior sanitizers.
cd dlib/tools/imglab
mkdir -p build
cd build
export AFL_USE_UBSAN=1
export AFL_USE_ASAN=1
export ASAN_OPTIONS="detect_leaks=1:abort_on_error=1:allow_user_segv_handler=0:handle_abort=1:symbolize=0"
cmake -DCMAKE_C_COMPILER=afl-clang-fast -DCMAKE_CXX_COMPILER=afl-clang-fast++ -DCMAKE_CXX_FLAGS="-fsanitize=address,leak,undefined -g" -DCMAKE_C_FLAGS="-fsanitize=address,leak,undefined -g" ..
make -j8
Start Fuzzing
The AFL++ fuzzer needs a test corpus of seed input files to exercise the compiled binary. AFL++ mutates these seeds to generate new inputs and thereby discovers new code paths.
Run the commands below to create the input seed directory and seed file for AFL++.
mkdir -p fuzz/image/in
cp /home/$USER/dlib/examples/faces/testing.xml fuzz/image/in
Start the AFL++ fuzzer using the command below.
afl-fuzz -i fuzz/image/in -o fuzz/image/out -- ./imglab --stats @@
Parallel Fuzzing
Parallel fuzzing improves fuzzing throughput by running several afl-fuzz instances that share one output directory. The afl-gotcpu utility can help you understand whether your system still has idle CPU capacity.
afl-gotcpu
Master: Start the Master Fuzzer
afl-fuzz -i fuzz/image/in -o fuzz/image/out -M Master -- ./imglab --stats @@
Slave: Start the Slave Fuzzer
afl-fuzz -i fuzz/image/in -o fuzz/image/out -S Slave -- ./imglab --stats @@
Crash Analysis
Setup: Install GDB and GDB-Peda
sudo apt install gdb
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
git clone https://github.com/jfoote/exploitable.git
cd exploitable
python setup.py install
afl-collect: Run the afl-collect crash analysis
afl-collect -d crashes.db -e gdb_script -r -rr ./fuzz/image/out/Master ./afl-collect -j 8 -- ./imglab --stats @@
afl-collect lists all the crashes it considers valid and, with -r, removes the invalid ones. The next step is to start GDB and triage the valid crashes for potential overflow vulnerabilities.
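Before opening each crash in GDB, it helps to collapse the many crash files that afl-fuzz saves into one line per suspected root cause. The script below is an added example, not part of the original post or of AFL++/afl-utils: it re-runs every saved crash against the ASAN/UBSAN-instrumented imglab built above and buckets the sanitizer reports by error type and first in-source stack frame. It assumes the layout used in this post (./imglab in the build directory, crash files under fuzz/image/out/<instance>/crashes/); the embedded sample report is constructed for an offline check of the bucketing.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: re-run each crash afl-fuzz saved and
# bucket the sanitizer reports by error type + first in-source frame, so duplicates
# collapse to one line per root cause before GDB triage. Assumes ./imglab built with
# ASAN/UBSAN as above and crash files under fuzz/image/out/<instance>/crashes/.
set -u
# Same ASAN options as the fuzzing run, but symbolized so frames carry file:line.
export ASAN_OPTIONS="abort_on_error=1:allow_user_segv_handler=0:handle_abort=1:symbolize=1"
export UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1"
# asan_bucket: read one sanitizer report on stdin, print "<error>|<func file:line>".
asan_bucket() {
    awk '
        /ERROR: AddressSanitizer:/ && err == "" {    # e.g. heap-buffer-overflow, SEGV
            line = $0; sub(/.*ERROR: AddressSanitizer: /, "", line)
            split(line, w, " "); err = w[1]
        }
        /runtime error:/ && err == "" {              # UBSAN message: keep the kind only
            line = $0; sub(/.*runtime error: /, "", line); sub(/:.*/, "", line)
            err = "ubsan:" line
        }
        /^ *#[0-9]+ 0x/ && frame == "" && $0 !~ /__asan|__ubsan|__interceptor|libclang_rt/ {
            loc = $NF; sub(/:[0-9]+$/, "", loc)      # file.cpp:42:7 -> file.cpp:42
            fn = $0; sub(/^ *#[0-9]+ 0x[0-9a-fA-F]+ /, "", fn); sub(/^in /, "", fn)
            sub(/ [^ ]*$/, "", fn); sub(/\(.*/, "", fn)   # drop location token and arg list
            frame = (fn == "" ? loc : fn " " loc)
        }
        END { printf "%s|%s\n", (err == "" ? "unknown" : err), (frame == "" ? "?" : frame) }
    '
}
# triage_crashes OUT_DIR TARGET [ARGS...]: one line per bucket with its count and a
# representative crash file to open in GDB, most frequent first.
# Usage after a fuzzing run:  triage_crashes fuzz/image/out ./imglab --stats @@
triage_crashes() {
    local out_dir=$1 crash a args; shift
    for crash in "$out_dir"/*/crashes/id:*; do
        [ -f "$crash" ] || continue
        args=()
        for a in "$@"; do args+=("${a//@@/$crash}"); done   # @@ -> crash file, as afl-fuzz does
        printf '%s\t%s\n' "$(timeout 10 "${args[@]}" </dev/null 2>&1 | asan_bucket)" "$crash"
    done | awk -F'\t' '{ n[$1]++; ex[$1] = $2 }
                       END { for (k in n) printf "%4d  %s\t%s\n", n[k], k, ex[k] }' | sort -rn
}
# Constructed sample report (made-up paths, addresses and function names) for an offline check.
SAMPLE_REPORT='==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000010 at pc 0x51c3f0
READ of size 1 at 0x602000000010 thread T0
    #0 0x51c3f0 in __asan_memcpy (/home/user/dlib/tools/imglab/build/imglab+0x51c3f0)
    #1 0x5a1b22 in parse_example_box(char const*, unsigned long) /home/user/example/box_parser.cpp:42:7
    #2 0x4c0d11 in main /home/user/example/main.cpp:118:5'
demo_bucket() { printf '%s\n' "$SAMPLE_REPORT" | asan_bucket; }
```

Buckets are a triage aid, not proof of distinct bugs: two different inputs that fault in the same frame still deserve a look in GDB, and an unsymbolized binary will only bucket by raw address.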